Collect File System (FS) Events

Overview

Evidence: Collect File System (FS) Events Description: Collect File System Events Category: DiskFilesystem Platform: macos Short Name: fsevnts Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

FSEvents maintains a journal of file system changes. This data is essential for reconstructing file activity timelines and detecting suspicious modifications.

Data Collected

This collector gathers structured data about collect file system (fs) events.

Collection Method

This collector copies entries from /System/Volumes/Data/.fseventsd/ into the case content for offline analysis.

Forensic Value

This evidence is crucial for forensic investigations as it reveals file creations, deletions, and renames even when file metadata is missing.

PreviousFirefox Extensions NextParse File System (FS) Events

Last updated 3 days ago

Was this helpful?